[tor-bugs] #9536 [EFF-HTTPS Everywhere]: Doesn't respect CSP policies
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Aug 19 16:55:17 UTC 2013
#9536: Doesn't respect CSP policies
----------------------------------+-----------------------------------------
Reporter: Erom2 | Owner: pde
Type: defect | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Assume a site pulls scripts from a CDN, like cdnjs.cloudflare.com using
the http protocol, and has a script-src of "http://cdnjs.cloudflare.com"
set in the Content-Security-Policy header.
If a user with HTTPS Everywhere installed were to browse on the site, it
would try to fetch the scripts using https, which is forbidden by the CSP
header, thus breaking the site.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9536>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
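
The mismatch described in the ticket, as an added example that is not part of the original report or of HTTPS Everywhere's code: a simplified CSP host-source matcher checked against the same script URL before and after a rewrite to https. The script path, the function names and the `allowUpgrade` switch are assumptions for illustration. Strict mode models the exact-scheme comparison the ticket describes, and upgrade mode models the CSP Level 3 rule that an http source expression also matches https.

```javascript
// Added example: simplified CSP host-source matching (scheme, host, port only;
// paths, wildcards, keywords and default-src fallback are not modelled).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the source expressions of script-src, or null if the directive is absent.
function scriptSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null;
}

function schemeMatches(exprScheme, urlScheme, allowUpgrade) {
  if (exprScheme === urlScheme) return true;
  // CSP Level 3 behaviour: an http source expression also covers https.
  return allowUpgrade && exprScheme === "http:" && urlScheme === "https:";
}

function sourceMatches(expr, url, allowUpgrade) {
  let e;
  try { e = new URL(expr); } catch { return false; } // 'self', bare hosts: skipped
  const u = new URL(url);
  if (!schemeMatches(e.protocol, u.protocol, allowUpgrade)) return false;
  if (e.hostname !== u.hostname) return false;
  const urlPort = u.port || DEFAULT_PORT[u.protocol];
  // No explicit port in the expression: require the URL scheme's default port.
  return e.port ? e.port === urlPort : urlPort === DEFAULT_PORT[u.protocol];
}

function isScriptAllowed(policy, url, allowUpgrade = false) {
  const sources = scriptSources(policy);
  return sources === null || sources.some((s) => sourceMatches(s, url, allowUpgrade));
}

// Constructed inputs: the policy from the ticket plus a hypothetical script path.
const POLICY = "script-src http://cdnjs.cloudflare.com";
const HTTP_URL = "http://cdnjs.cloudflare.com/ajax/libs/example/1.0/example.min.js";
const HTTPS_URL = HTTP_URL.replace(/^http:/, "https:"); // what a rewrite to https requests

function demo() {
  return {
    strictOriginal: isScriptAllowed(POLICY, HTTP_URL),
    strictRewritten: isScriptAllowed(POLICY, HTTPS_URL),
    upgradeRewritten: isScriptAllowed(POLICY, HTTPS_URL, true),
    httpsPolicyRewritten: isScriptAllowed("script-src https://cdnjs.cloudflare.com", HTTPS_URL),
    noDowngrade: isScriptAllowed("script-src https://cdnjs.cloudflare.com", HTTP_URL, true),
  };
}
console.log(demo());
```

Under strict matching only the https source expression admits the rewritten request, and in neither mode does an https expression admit a plain-http fetch.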